1. Field of the Invention
This invention relates to secure end-to-end communication systems and methods of operation. More particularly, the invention relates to a Key Ring Organizer (KRO) supporting public key infrastructure with secure end-to-end communications in conducting electronic business in a distributed information system, e.g., the Internet.
2. Background Discussion
The cross-referenced applications describe a new approach to conducting electronic business on the Internet. In this approach, digital keys replace end-user identification-password pairs as in the prior art. Public key cryptography uses mathematically related public/private key pairs. Only the private key can decrypt the information the public key has encrypted. The public key can be made available to anyone. The private key is kept secret by the holder. Just as digital keys are replacing end-user identification password, digital signatures are replacing physical signatures. A digital signature is a coded message affixed to a document or data that helps guarantee the identity of the sender, thereby providing a greater level of security than a physical signature. A digital signature identifies the sender because only the sender""s private key can create the signature. The key also helps ensure that the content of the signed message cannot be altered without the recipient being able to discover that the message has been altered.
Digital certificates are also replacing their physical counterpartxe2x80x94hard copy credentials in electronic business. Digital certificates issued by a Certification Authority vouch for (or certifies) the key of an individual, software application, organization or business. The certificate performs a role similar to that of a driver""s license or a medical diplomaxe2x80x94the certificate certifies that the bearer of the corresponding private key is authorized by an organization to conduct certain activities within that organization. As electronic business systems having secure end-to-end communications increase their use of public key infrastructure, the end-users must be able to own and hold pubic/private key pairs providing access to applications made available by business organizations for providing services and other interaction with the end-users. The value of a key pair is a function of the value of the application to which the pair access. Hence, a key which enables a end-user to withdraw millions of dollars of cash is considered quite valuablexe2x80x94in effect, equal to the value of the cash to which access is enabled.
Business application providers determine the universality of keys their applications will accept for authentication. In many casesxe2x80x94especially for applications of greater valuexe2x80x94the application provider will insist on a key issued for the express purpose of using that application and will not enable the application to accept a general purpose key pair. Keys used in this respect are dedicated to specific applications or roles for which the end-user is qualified and are, therefore, referred to as xe2x80x9crole-basedxe2x80x9d keys.
As electronic business systems using public key infrastructure grow in popularity and the applications that exploit the infrastructure increase in number and value, end-users will need to retain an increasingly large number of xe2x80x9crole-basedxe2x80x9d keys. Such keys will be stored on a variety of key rings. Some keys will be available on key rings stored in files using a standard format. Other keys will be stored on Smart Cards or other types of crypto hardware.
Accordingly, there is a need for end users to manage digital certificates as more and more certificates are accumulated to enable access to various Web-based business applications. Further, these Web-based business applications will need to initiate client operations on specific certificates, e.g., for authentication and encryption.
Prior art related to electronic business systems using public key infrastructure includes the following:
U.S. Pat. No. 4,914,176 issued Jul. 10, 1990 discloses an apparatus and method for validating that key management function requested for cryptographic key have been authorized by the originator of the key. A control vector checking unit and cryptographic instruction storage coupled to an instruction storage and a master key storage coupled to the processing means provide a secure location for executing key management function in response to received service requests.
U.S. Pat. No. 4,771,459 issued Sep. 13, 1988 discloses a system for storing and distributing keys for cryptographically protected communication. By assigning, in each group of terminals, keys to the terminals belonging to the group, the quantity of keys to be stored in each terminal can be significantly reduced.
U.S. Pat. No. 5,481,610 issued Jan. 2, 1996 discloses standardized key storage for different crypto systems. The keys are stored in an encrypted form such that their identities are not readily revealed by a dump of memory contents. The keys are extracted from a stored table and re-encrypting the entire table each time a key loader is attached to a radio.
None of the prior art discloses a system and method in which a Key Ring Organizer allows an end-user to generate, store, manage and select keys for use in digital signing of information or authenticating an end-user thereby enabling secure client/server applications to be used in an electronic business system.
An object of the invention is a Key Ring Organizer using public key infrastructure in an electronic business system requiring secure end-to-end communication.
Another object is a Key Ring Organizer and method of operation which organizes digital keys and key rings through the use of a catalog file.
Another object is a Key Ring Organizer and method of operation which provides attributes for digital keys as a basic database capability to allow a catalog file to be searched for a specific key.
Another object is a Key Ring Organizer and method of operation which allows end-users to store their keys in a convenient group which provides tracking, retrieval and security.
Another object is a Key Ring Organizer and method of operation which allows a key ring to be stored on a Smart Card, PC card, or file located on a end-user""s hard disk or diskette.
Another object is a Key Ring Organizer and method of operation which implements a set of key properties for each key and stores these key properties on a key ring along with the associated key.
Another object is a Key Ring Organizer which generates authentication and signing keys and specifies the intended use of a key as a further security enhancement.
Another object is a Key Ring Organizer and method of operation which generates client authentication using digital authentication keys which may be invoked by a Web application through a request message containing certificate and server attributes for locating specific keys.
Another object is a Key Ring Organizer and method of operation which performs digital signatures using signing keys which may be invoked by a Web application using a request message containing certificate and server attributes to locate specific keys.
Another object is a Key Ring Organizer which provides support for certifying external keys for various third party applications invoked by a Web application through a request message.
Another object is a Key Ring Organizer Language (KROL) for supporting Key Ring Organizer operations
These and other objects, features, and advantages are achieved in a computer network to which is coupled a secure server and at least one end-user terminal; a Registration Authority terminal; and an organization server. The end-user terminal includes a general purpose Web browser including a key ring Plug-in or equivalent and a Key Ring Organizer managing a set of key rings. A Smart Card reader is coupled to the end-user terminal for key mobility. Keys used for signing and authentication of messages between the end-user terminal and the secure server are stored in the key ring and managed by the Key Ring Organizer. The KRO may be accessed by a secure server to generate, store and select keys for use in signing information or authenticating an end-user thereby providing an end user access to secure applications. The KRO components are a key ring, key catalog and cryptographic hardware. The key ring stores keys in files or in crypto hardware, e.g. Smart Card. The key catalog is used to organize digital keys and key ring information enabling applications and end-users to select and identify a specific key for a particular use. The KRO maintains a reference to each key named in the catalog and the key ring on which the key is physically stored.